CVE-2010-2947: LibHX Heap Based Buffer Overflow

libHX is a well-known C library shipped by various popular Linux distributions, including Ubuntu, Fedora and Mandrake, as well as other operating systems. In August 2010, Jan Engelhardt reported a heap-based memory corruption vulnerability in the HX_split() routine, which can be found in src/string.c.

The fourth argument of this routine (the integer ‘max’) sets the maximum number of fields the given string may be split into. If it is 0, the code uses the counter pointer (‘cp’, the number of fields counted in the string) as the maximum. Otherwise, it checks whether the counter is greater than ‘max’ and, if so, uses ‘max’ to allocate the heap space with malloc(3). Finally, if neither case applies, it uses ‘cp’ directly to allocate the required space with malloc(3). However, the code that actually places the split fields into the heap-allocated ‘ret’ array uses ‘max’ as the bound of its ‘while’ loop. This means that when ‘max’ is greater than the actual ‘cp’ (the number of fields in the string), the ‘while’ loop keeps writing past the end of the heap-allocated ‘ret[]’ array, resulting in memory corruption.
The following patch was applied to fix this bug:

It simply checks that the maximum number of fields (the ‘max’ integer) is not greater than the string’s field counter (the ‘cp’ one), so the allocation size and the loop bound can no longer disagree.
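To show the invariant the fix restores in isolation, here is a constructed, simplified split routine in C. It is an added example written for this page, not libHX’s HX_split() and not the actual patch; the names split_bounded(), count_fields(), free_fields() and the passwd-style sample line are all made up for the illustration. The point it demonstrates is that the requested ‘max’ is clamped to the counted ‘cp’ before it is used either to size the array or to bound the fill loop, so both always agree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed helper, not libHX code: copy len bytes starting at start into
 * a new NUL-terminated heap string. */
static char *dup_range(const char *start, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, start, len);
    out[len] = '\0';
    return out;
}

/* Count the fields in s: one more than the number of delimiter characters.
 * This plays the role of the 'cp' counter described in the text. */
int count_fields(const char *s, const char *delim)
{
    int cp = 1;
    for (const char *p = s; *p != '\0'; ++p)
        if (strchr(delim, *p) != NULL)
            ++cp;
    return cp;
}

/* Split s on any character in delim into at most max fields (max <= 0 means
 * "all of them"). Returns a NULL-terminated array of malloc'd strings and
 * stores the number of fields in *countp. The array is allocated for max+1
 * pointers and the fill loop is bounded by that same max. Clamping max to cp
 * before either use is the invariant the CVE-2010-2947 fix restores: a caller
 * asking for more fields than the string contains can no longer drive the
 * loop past the end of ret[]. */
char **split_bounded(const char *s, const char *delim, int *countp, int max)
{
    int cp = count_fields(s, delim);

    if (max <= 0 || max > cp)
        max = cp;                       /* allocation size and loop bound now agree */

    char **ret = calloc((size_t)max + 1, sizeof *ret);
    if (ret == NULL)
        return NULL;

    int i = 0;
    const char *start = s;
    /* Every field but the last ends at a delimiter. While i < max - 1 <= cp - 1,
     * at least one delimiter still lies ahead of start, so strcspn() stops on it. */
    while (i < max - 1) {
        size_t len = strcspn(start, delim);
        ret[i++] = dup_range(start, len);
        start += len + 1;               /* step over the delimiter */
    }
    /* The last field keeps the rest of the string, delimiters included, so a
     * max smaller than cp truncates the split, not the data. */
    ret[i++] = dup_range(start, strlen(start));
    ret[i] = NULL;

    if (countp != NULL)
        *countp = i;
    return ret;
}

/* Release an array returned by split_bounded(). */
void free_fields(char **fields)
{
    if (fields == NULL)
        return;
    for (char **p = fields; *p != NULL; ++p)
        free(*p);
    free(fields);
}

int main(void)
{
    /* Constructed sample input in passwd style. */
    const char *input = "demo:x:1000:1000:Demo User:/home/demo:/bin/sh";
    int n = 0;
    /* Ask for far more fields than the line has; the clamp keeps both the
     * allocation and the loop at the seven that actually exist. */
    char **f = split_bounded(input, ":", &n, 100);
    for (int i = 0; i < n; ++i)
        printf("field %d: %s\n", i, f[i]);
    free_fields(f);
    return 0;
}
```

The example does not recover from a failed dup_range() inside the loop (the array would end early at that NULL), which is acceptable for an illustration whose only concern is the bound between the malloc size and the loop counter.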
In addition to this, a new test case call was added in src/tx-string.cpp like this: